Intellectual Property Rights



IPRs essential or potentially essential to the present document may have been declared to ETSI. The information 
Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee Methods for Testing and 
Specification (MTS). 
Scope



The purpose of the present document is to provide Test Suite Structure and Test Purposes (TSS&TP) for conformance
tests of the security IPv6 protocol based on the requirements defined in the IPv6 requirements catalogue
(TS 102 558 [2]) and written according to the guidelines of TS 102 351 [1], ISO/IEC 9646-2 [4] and ETS 300 406 [5].



References 



The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication and/or edition number or version number) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. 

Referenced documents which are not found to be publicly available in the expected location might be found at 
http://docbox.etsi.org/Reference . 

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee 
their long term validity. 

[1] ETSI TS 102 351: "Methods for Testing and Specification (MTS); Internet Protocol Testing (IPT); IPv6 Testing: Methodology and Framework".

[2] ETSI TS 102 558: "Methods for Testing and Specification (MTS); Internet Protocol Testing (IPT): IPv6 Security; Requirements Catalogue".

[3] ISO/IEC 9646-1: "Information technology - Open Systems Interconnection - Conformance testing methodology and framework - Part 1: General concepts".

[4] ISO/IEC 9646-2: "Information technology - Open Systems Interconnection - Conformance testing methodology and framework - Part 2: Abstract Test Suite specification".

[5] ETSI ETS 300 406: "Methods for Testing and Specification (MTS); Protocol and profile conformance testing specifications; Standardization methodology".



3 Definitions and abbreviations 

3.1 Definitions 

For the purposes of the present document, the following terms and definitions apply: 

abstract test case: Refer to ISO/IEC 9646-1 [3]. 

Abstract Test Method (ATM): Refer to ISO/IEC 9646-1 [3]. 

Abstract Test Suite (ATS): Refer to ISO/IEC 9646-1 [3]. 

Implementation Under Test (IUT): Refer to ISO/IEC 9646-1 [3]. 

Lower Tester (LT): Refer to ISO/IEC 9646-1 [3]. 

Test Purpose (TP): Refer to ISO/IEC 9646-1 [3]. 
3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply: 

AH Authentication Header 

ATS Abstract Test Suite 

ESP Encapsulating Security Payload 

IETF Internet Engineering Task Force 

IKE Internet Key Exchange 

IPv6 Internet Protocol version 6 

IUT Implementation Under Test 

RC Requirements Catalogue 

RQ Requirement 

TP Test Purpose 

TSS Test Suite Structure 

UDP User Datagram Protocol 



Test Suite Structure (TSS) 



Test Purposes have been written for IPv6 mobile nodes, correspondent nodes and home agents according to the
requirements (RQ) of the requirements catalogue (RC) in TS 102 558 [2]. Test purposes have been written for
behaviours requested with "MUST" or "SHOULD"; optional behaviour described with "MAY" or similar wording
indicating an option has not been turned into test purposes.

The test purposes have been divided into three groups: 

Group 1: Authentication Header (AH)

Group 2: Encapsulating Security Payload (ESP) 

Group 3: Key Exchange (IKEv2) Protocol 

The sub-grouping of these three groups follows the structure of the RC. 

Group 1: Authentication Header (AH)

Group 2: Encapsulating Security Payload (ESP) 

Group 3: Key Exchange (IKEv2) Protocol 

Group 3.1 Exchange Message Structures 

Group 3.2 IKE Header and Payload Formats 

Group 3.2.1 Configuration payload 

Group 3.2.2 IKE Error Types 

Group 3.3 IKE Informational Exchanges 

Group 3.4 IKE Protocol 

Group 3.4.1 Authentication 

Group 3.4.1.1 Extensible Authentication Methods 

Group 3.4.2 Error Handling 

Group 3.4.3 General Protocol Handling 

Group 3.4.3.1 Address and Port Agility 

Group 3.4.3.2 IP Compression (IPComp) 



ETSI TS 102 593 V1.1.1 (2007-04)



Group 3.4.3.3 Message Format 
Group 3.4.3.4 Overlapping Requests 
Group 3.4.3.5 Request Internal Address 
Group 3.4.3.6 Retransmission Timers 
Group 3.4.3.7 Version Compatibility 
Group 3.4.4 Security Parameter Negotiation 
Group 3.4.4.1 Algorithm Negotiation 
Group 3.4.4.2 Cookies 
Group 3.4.4.3 Rekeying 
Group 3.4.4.4 Traffic Selector Negotiation 
Annex A (normative):
Test Purposes (TP)



The test purposes have been written in the formal notation TPlan as described in annex A of TS 102 351 [1]. This 
original textual output ASCII file (SEC.tplan) is contained in archive ts_102593v010101p0.zip which accompanies the 
present document. The raw text file has been converted to a table format in this annex to allow better readability. 

The two formats shall be considered equivalent. In the event that there appear to be syntactical or semantic differences
between the two, the textual TPlan representation takes precedence over the table format in this annex.



A.1 Authentication Header (AH) 



Test Purpose

Identifier: TP_SEC_2000_01

Summary: Test of generating first unicast IPv6 packets with Authentication Header

References: RQ_002_2000, RQ_002_2006, RQ_002_2011, RQ_002_2013, RQ_002_2015, RQ_002_2017,
RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036

IUT Role: Ipsec_host

Test Case: TC_SEC_2000_01

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT is requested to send first unicast IPv6Packet
            containing Authentication_Header }
  then { IUT sends IPv6Packet
            containing next_header_field of previous_header
               set to 51
            and containing (Authentication_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose

Identifier: TP_SEC_2000_02

Summary: Test of generating subsequent unicast IPv6 packets with Authentication Header

References: RQ_002_2000, RQ_002_2006, RQ_002_2011, RQ_002_2012, RQ_002_2015, RQ_002_2017,
RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036

IUT Role: Ipsec_host

Test Case: TC_SEC_2000_02

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT is requested to send subsequent unicast IPv6Packet
            containing Authentication_Header }
  then { IUT sends IPv6Packet
            containing next_header_field of previous_header
               set to 51
            and containing (Authentication_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_2000_03

Summary: Test of generating first multicast IPv6 packets with Authentication Header

References: RQ_002_2000, RQ_002_2007, RQ_002_2011, RQ_002_2013, RQ_002_2015, RQ_002_2017,
RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036

IUT Role: Ipsec_host

Test Case: TC_SEC_2000_03

with { IUT established in a multicast_group AH_Security_Association
}
ensure that
{ when { IUT is requested to send first multicast IPv6Packet
            containing Authentication_Header }
  then { IUT sends IPv6Packet
            containing next_header_field of previous_header
               set to 51
            and containing (Authentication_Header
               containing Security_Parameters_Index
                  assigned to multicast_group
                  Security_Association
               and containing sequence_number set to 1
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose

Identifier: TP_SEC_2000_04

Summary: Test of generating subsequent multicast IPv6 packets with Authentication Header

References: RQ_002_2000, RQ_002_2007, RQ_002_2011, RQ_002_2012, RQ_002_2015, RQ_002_2017,
RQ_002_2027, RQ_002_2032, RQ_002_2033, RQ_002_2034, RQ_002_2036

IUT Role: Ipsec_host

Test Case: TC_SEC_2000_04

with { IUT established in multicast_group AH_Security_Association
}
ensure that
{ when { IUT is requested to send subsequent multicast IPv6Packet
            containing Authentication_Header }
  then { IUT sends IPv6Packet
            containing next_header_field of previous_header
               set to 51
            and containing (Authentication_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     assigned to multicast_group
                     Security_Association
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_2009_01

Summary: Test reaction on multicast IPv6 packets for unknown multicast group SA

References: RQ_002_2009, RQ_002_2008

IUT Role: Ipsec_host

Test Case: TC_SEC_2009_01

with { IUT established in multicast_group AH_Security_Association
}
ensure that
{ when { IUT receives multicast IPv6Packet
            containing (Authentication_Header
               containing Security_Parameters_Index
                  unrelated to established
                  multicast_group Security_Association) }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_2042_01

Summary: Test reaction on IPv6 packets with AH header and fragmentation header

References: RQ_002_2042

IUT Role: Ipsec_host

Test Case: TC_SEC_2042_01

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT receives IPv6Packet
            containing Authentication_Header
            and containing (Fragment_Header
               containing offset not set to 0) }
  then { IUT discards IPv6Packet }
}

Test Purpose

Identifier: TP_SEC_2046_01

Summary: Test reaction on IPv6 packets with AH header when no SA exists

References: RQ_002_2046

IUT Role: Ipsec_host

Test Case: TC_SEC_2046_01

with { IUT and destination_node not established in an AH_Security_Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing Authentication_Header }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_2053_01

Summary: Test reaction on IPv6 packets with AH header with incorrect sequence number

References: RQ_002_2053

IUT Role: Ipsec_host

Test Case: TC_SEC_2053_01

with { IUT and destination_node established in an AH_security_association
       and IUT and destination_node 'having already exchanged
          at least one packet'
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication_Header
               containing sequence_number
                  set to sequence_number received
                     in previous IPv6packet) }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_2057_01

Summary: Test reaction on IPv6 packets with AH header with correct ICV value

References: RQ_002_2057, RQ_002_2028

IUT Role: Ipsec_host

Test Case: TC_SEC_2057_01

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication_Header
               containing Integrity_Check_Value
                  calculated from Security_Association_data
                  and packet_contents) }
  then { IUT accepts IPv6Packet }
}

Test Purpose

Identifier: TP_SEC_2058_01

Summary: Test reaction on IPv6 packets with AH header with incorrect ICV value

References: RQ_002_2058, RQ_002_2028

IUT Role: Ipsec_host

Test Case: TC_SEC_2058_01

with { IUT and destination_node established in an AH_security_association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (Authentication_Header
               containing Integrity_Check_Value
                  not calculated from Security_Association_data
                  and packet_contents) }
  then { IUT discards IPv6Packet }
}
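
The send and receive behaviour that the A.1 test purposes require, as an added Python example that is not part of the ETSI specification or its test suite. Assumptions: HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, a 32-packet anti-replay window, and an ICV that covers only the AH header and payload (the IPv6 header fields are left out); the names SA, build_ah and receive are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # assumption: HMAC-SHA-256 truncated to 128 bits
WINDOW = 32    # assumption: anti-replay window size, in packets
FIXED = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number


class SA:
    """Constructed AH security association for one direction."""

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.tx_seq = 0      # sender counter: first packet carries 1
        self.rx_highest = 0  # receiver: highest authenticated sequence number
        self.rx_bitmap = 0   # receiver: bit n set means (rx_highest - n) was seen


def _icv(key, fixed, padding, payload):
    # The ICV value itself is zeroed for the computation; padding is covered.
    # Simplification: the IPv6 header fields a full AH ICV also covers are
    # left out, so this is not wire-compatible with a real stack.
    data = fixed + bytes(ICV_LEN) + padding + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(sa, inner_proto, payload):
    """Sender side: AH header plus payload, using the next sequence number."""
    sa.tx_seq += 1
    padding = bytes(-(FIXED + ICV_LEN) % 8)  # IPv6: AH length multiple of 8 octets
    payload_len = (FIXED + ICV_LEN + len(padding)) // 4 - 2  # 32-bit words minus 2
    fixed = struct.pack("!BBHII", inner_proto, payload_len, 0, sa.spi, sa.tx_seq)
    return fixed + _icv(sa.key, fixed, padding, payload) + padding + payload


def _fresh(sa, seq):
    if seq == 0:
        return False
    if seq > sa.rx_highest:
        return True
    offset = sa.rx_highest - seq
    return offset < WINDOW and not (sa.rx_bitmap >> offset) & 1


def _mark_seen(sa, seq):
    if seq > sa.rx_highest:
        shift = seq - sa.rx_highest
        sa.rx_bitmap = ((sa.rx_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.rx_highest = seq
    else:
        sa.rx_bitmap |= 1 << (sa.rx_highest - seq)


def receive(sad, packet, fragment_offset=0):
    """Receiver side: return (verdict, reason) for one inbound AH packet."""
    if fragment_offset != 0:
        return "discard", "fragment offset not 0"      # TP_SEC_2042_01
    if len(packet) < FIXED:
        return "discard", "truncated AH"
    _, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[:FIXED])
    sa = sad.get(spi)
    if sa is None:
        return "discard", "no SA for SPI"              # TP_SEC_2009_01, TP_SEC_2046_01
    ah_len = (payload_len + 2) * 4
    if ah_len < FIXED + ICV_LEN or len(packet) < ah_len:
        return "discard", "bad AH length"
    if not _fresh(sa, seq):
        return "discard", "replayed sequence number"   # TP_SEC_2053_01
    icv_end = FIXED + ICV_LEN
    expected = _icv(sa.key, packet[:FIXED], packet[icv_end:ah_len], packet[ah_len:])
    if not hmac.compare_digest(packet[FIXED:icv_end], expected):
        return "discard", "ICV mismatch"               # TP_SEC_2058_01
    _mark_seen(sa, seq)  # the window moves only after the ICV verifies
    return "accept", "ICV verified"                    # TP_SEC_2057_01


def run_constructed_cases():
    """Constructed traffic: one sender SA, one receiver SAD, six inbound packets."""
    key = b"constructed-demo-key"
    tx, rx = SA(0x1000, key), SA(0x1000, key)
    sad = {rx.spi: rx}
    p1 = build_ah(tx, 17, b"first")
    p2 = build_ah(tx, 17, b"second")
    tampered = p2[:-1] + bytes([p2[-1] ^ 1])
    unknown = build_ah(SA(0x2000, key), 17, b"other SA")
    return [
        receive(sad, p1),                      # accepted
        receive(sad, p1),                      # same sequence number again
        receive(sad, tampered),                # payload changed after ICV
        receive(sad, p2),                      # still accepted afterwards
        receive(sad, unknown),                 # SPI not in the SAD
        receive(sad, p2, fragment_offset=8),   # non-zero fragment offset
    ]


if __name__ == "__main__":
    for verdict, reason in run_constructed_cases():
        print(verdict, "-", reason)
```

The tampered packet is rejected before the replay window is updated, so the genuine packet with the same sequence number is still accepted afterwards.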



A.2 Encapsulating Security Payload (ESP) 



Test Purpose

Identifier: TP_SEC_3030_01

Summary: Test reaction on ESP dummy packet

References: RQ_002_3030

IUT Role: Ipsec_host

Test Case: TC_SEC_3030_01

with { IUT and destination_node established in an ESP_Security_Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing next_header_field set to 59) }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_3059_01

Summary: Test reaction on IPv6 packets with ESP header when no SA exists

References: RQ_002_3059

IUT Role: Ipsec_host

Test Case: TC_SEC_3059_01

with { IUT and destination_node established in an ESP_Security_Association
}
ensure that
{ when { IUT receives IPv6Packet
            containing ESP_Header
            and containing (Fragment_Header
               containing offset not set to 0) }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_3061_01

Summary: Test reaction on IPv6 packets with ESP header when no SA exists

References: RQ_002_3061, RQ_002_3091

IUT Role: Ipsec_host

Test Case: TC_SEC_3061_01

with { IUT 'has not established ESP Security Association with destination Node'
}
ensure that
{ when { IUT receives IPv6Packet
            containing ESP_Header }
  then { IUT discards IPv6Packet }
}

Test Purpose

Identifier: TP_SEC_3068_01

Summary: Test reaction on IPv6 packets with ESP header with correct ICV value

References: RQ_002_3068, RQ_002_3072

IUT Role: Ipsec_host

Test Case: TC_SEC_3068_01

with { IUT and destination_node established in an ESP_Security_Association
       and IUT 'having enabled anti-replay service'
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing sequence_number
                  set to sequence_number from received IPv6Packet) }
  then { IUT discards IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_3077_01

Summary: Test reaction on IPv6 packets with ESP header with correct ICV value

References: RQ_002_3077

IUT Role: Ipsec_host

Test Case: TC_SEC_3077_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing Integrity_Check_Value
                  calculated from Security_Association_data
                  and packet_contents) }
  then { IUT accepts IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_3078_01

Summary: Test reaction on IPv6 packets with ESP header with incorrect ICV value

References: RQ_002_3078, RQ_002_3077

IUT Role: Ipsec_host

Test Case: TC_SEC_3078_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing Integrity_Check_Value
                  not calculated from Security_Association_data
                  and packet_contents) }
  then { IUT discards IPv6Packet }
}

Test Purpose

Identifier: TP_SEC_3080_01

Summary: Test reaction on IPv6 packets with ESP header with correct ICV value

References: RQ_002_3080

IUT Role: Ipsec_host

Test Case: TC_SEC_3080_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing Integrity_Check_Value
                  calculated from Security_Association_data
                  and packet_contents) }
  then { IUT accepts IPv6Packet }
}



Test Purpose

Identifier: TP_SEC_3083_01

Summary: Test reaction on IPv6 packets with ESP header with incorrect ICV value

References: RQ_002_3083, RQ_002_3080

IUT Role: Ipsec_host

Test Case: TC_SEC_3083_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT receives IPv6Packet
            containing (ESP_Header
               containing Integrity_Check_Value
                  not calculated from Security_Association_data
                  and packet_contents) }
  then { IUT discards IPv6Packet }
}

Test Purpose

Identifier: TP_SEC_3102_01

Summary: Test of generating first unicast IPv6 packets with ESP Header, transport mode

References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
RQ_002_3037, RQ_002_3113

IUT Role: Ipsec_host

Test Case: TC_SEC_3102_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_3102_02

Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, transport mode

References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
RQ_002_3037, RQ_002_3112

IUT Role: Ipsec_host

Test Case: TC_SEC_3102_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose

Identifier: TP_SEC_3103_01

Summary: Test of generating first unicast IPv6 packets with ESP Header, tunnel mode

References: RQ_002_3103, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
RQ_002_3037, RQ_002_3092, RQ_002_3113

IUT Role: Ipsec_host

Test Case: TC_SEC_3103_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_3103_02

Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, tunnel mode

References: RQ_002_3103, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
RQ_002_3037, RQ_002_3092, RQ_002_3112

IUT Role: Ipsec_host

Test Case: TC_SEC_3103_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          separate_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose

Identifier: TP_SEC_3107_01

Summary: Test of generating first unicast IPv6 packets with ESP Header, transport mode

References: RQ_002_3102, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
RQ_002_3113

IUT Role: Ipsec_host

Test Case: TC_SEC_3107_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_3107_02

Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, transport mode

References: RQ_002_3107, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
RQ_002_3112

IUT Role: Ipsec_host

Test Case: TC_SEC_3107_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in transport_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in transport_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

Test Purpose

Identifier: TP_SEC_3108_01

Summary: Test of generating first unicast IPv6 packets with ESP Header, tunnel mode

References: RQ_002_3108, RQ_002_3004, RQ_002_3005, RQ_002_3009, RQ_002_3012, RQ_002_3027,
RQ_002_3092, RQ_002_3113

IUT Role: Ipsec_host

Test Case: TC_SEC_3108_01

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send first IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}



Test Purpose

Identifier: TP_SEC_3108_02

Summary: Test of generating subsequent unicast IPv6 packets with ESP Header, tunnel mode

References: RQ_002_3108, RQ_002_3004, RQ_002_3005, RQ_002_3006, RQ_002_3009, RQ_002_3027,
RQ_002_3092, RQ_002_3112

IUT Role: Ipsec_host

Test Case: TC_SEC_3108_02

with { IUT and destination_node established in an ESP_Security_Association
       and ESP_Security_Association configured to use
          combined_confidentiality_and_integrity_algorithms
}
ensure that
{ when { IUT is requested to send subsequent IPv6Packet in tunnel_mode
            containing ESP_Header }
  then { IUT sends IPv6Packet in tunnel_mode
            containing next_header_field of previous_header
               set to 50
            and containing (ESP_Header
               containing Security_Parameters_Index
                  set to Security_Parameters_Index
                     received from destination_node
                     during SA_establishment
               and containing sequence_number set to
                  (sequence_number of previous IPv6Packet) plus 1
               and containing necessary padding_bytes
               and containing pad_length
                  set to number of padding_bytes
               and containing correctly calculated
                  Integrity_Check_Value
                  including necessary padding_bits) }
}

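
The ESP trailer rules that the A.2 test purposes rely on (padding_bytes, pad_length, and the dummy packet with next_header 59), as an added Python example that is not part of the ETSI specification or its test suite. Assumptions: padding uses the default 1, 2, 3, ... pattern, and both functions work on the plaintext, which on the receive side means after the ICV check and decryption; the function names are hypothetical.

```python
NO_NEXT_HEADER = 59  # next_header value of the ESP dummy packet in TP_SEC_3030_01


def add_esp_trailer(payload, next_header, align=4):
    """Sender side: append padding_bytes, pad_length and next_header.

    align is 4 for the basic ESP alignment; pass the cipher block size
    (an assumption about the SA, for example 16) when it is larger.
    """
    if align % 4 or not 4 <= align <= 256:
        raise ValueError("align must be a multiple of 4 between 4 and 256")
    pad_length = -(len(payload) + 2) % align
    padding = bytes(range(1, pad_length + 1))  # default pattern 1, 2, 3, ...
    return payload + padding + bytes([pad_length, next_header])


def check_esp_plaintext(plaintext, align=4):
    """Receiver side, to be called only after the ICV has verified.

    Returns (verdict, reason, next_header, payload); the last two are None
    when the packet is discarded.
    """
    if len(plaintext) < 2 or len(plaintext) % align:
        return "discard", "length not aligned", None, None
    pad_length, next_header = plaintext[-2], plaintext[-1]
    body_len = len(plaintext) - 2 - pad_length
    if body_len < 0:
        return "discard", "pad_length exceeds packet", None, None
    if plaintext[body_len:-2] != bytes(range(1, pad_length + 1)):
        return "discard", "padding pattern mismatch", None, None
    if next_header == NO_NEXT_HEADER:
        return "discard", "dummy packet", None, None
    return "accept", "trailer valid", next_header, plaintext[:body_len]


def run_constructed_cases():
    """Constructed plaintexts: a normal packet, a dummy packet, two malformed ones."""
    good = add_esp_trailer(b"abcde", 17)            # 1 padding byte needed
    dummy = add_esp_trailer(bytes(6), NO_NEXT_HEADER)
    bad_pad = good[:5] + b"\x09" + good[6:]         # padding byte altered
    bad_len = b"abcdef" + bytes([200, 17])          # pad_length larger than packet
    return [check_esp_plaintext(p)[:2] for p in (good, dummy, bad_pad, bad_len)]


if __name__ == "__main__":
    for verdict, reason in run_constructed_cases():
        print(verdict, "-", reason)
```
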
A.3 Key Exchange (IKEv2) Protocol

A.3.1 Exchange Message Structures



Test Purpose

Identifier: TP_SEC_6400_01

Summary: Test of generating IKE_SA_INIT request

References: RQ_002_6400, RQ_002_6034, RQ_002_6077, RQ_002_6084, RQ_002_6085, RQ_002_6086,
RQ_002_6128, RQ_002_6129, RQ_002_6232, RQ_002_6236, RQ_002_6240, RQ_002_6250,
RQ_002_6263, RQ_002_6304, RQ_002_6344

IUT Role: Host

Test Case: TC_SEC_6400_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
{ when { IUT is requested to send IKE_SA_INIT_request }
  then { IUT sends IKE_SA_INIT_request
            containing (IKE_Header
               containing IKE_SA_Initiators_SPI not set to
               and containing IKE_SA_Responders_SPI set to
               and containing Major_Version set to 2
               and containing Exchange_Type set to 34 IKE_SA_INIT
               and containing Flags set to 00010000'B'
               and containing Message_ID set to 0)
            and containing (Security_Association_payload
               containing at least 1 Proposal
                  containing at least 1 Transform)
            and containing Key_Exchange_payload
            and containing (Nonce_payload
               containing Nonce_Data
                  of at least 128 bits
                  and 'at least half the prf key length') }
}

Test Purpose

Identifier: TP_SEC_6401_01

Summary: Test reaction on IKE_SA_INIT request

References: RQ_002_6401, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
RQ_002_6250, RQ_002_6263, RQ_002_6304, RQ_002_6344

IUT Role: Host

Test Case: TC_SEC_6401_01

with { IUT ready to establish Security_Association using IKEv2
}
ensure that
{ when { IUT receives IKE_SA_INIT_request }
  then { IUT sends IKE_SA_INIT_response
            containing (IKE_Header
               containing IKE_SA_Initiators_SPI
                  set to IKE_SA_Initiators_SPI
                     received in IKE_SA_INIT_request
               and containing IKE_SA_Responders_SPI not set to
               and containing Major_Version set to 2
               and containing Exchange_Type set to 34 IKE_SA_INIT
               and containing Flags set to 00000100'B'
               and containing Message_ID
                  set to Message_ID
                     received in IKE_SA_INIT_request)
            and containing (Security_Association_payload
               containing 1 proposal
                  received in IKE_SA_INIT_request)
            and containing Key_Exchange_payload
            and containing Nonce_payload }
}

Test Purpose

Identifier: TP_SEC_6403_01

Summary: Test of generating IKE_AUTH request

References: RQ_002_6403, RQ_002_6034, RQ_002_6084, RQ_002_6085, RQ_002_6086, RQ_002_6232,
RQ_002_6233, RQ_002_6236, RQ_002_6240, RQ_002_6250, RQ_002_6263, RQ_002_6310,
RQ_002_6430, RQ_002_6431

IUT Role: Host

Test Case: TC_SEC_6403_01

with { IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response
}
ensure that
{ when { IUT is requested to send IKE_AUTH_request }
  then { IUT sends IKE_AUTH_request
            containing (IKE_Header
               containing IKE_SA_Initiators_SPI
                  set to IKE_SA_Initiators_SPI
                     received in IKE_SA_INIT_request
               and containing IKE_SA_Responders_SPI
                  set to IKE_SA_Responders_SPI
                     received in IKE_SA_INIT_response
               and containing Major_Version set to 2
               and containing Exchange_Type set to 35 IKE_AUTH
               and containing Flags set to 00010000'B'
               and containing Message_ID set to 1)
            and containing (Encrypted_payload
               containing Identification_payload_initiator
                  'Next Payload field of previous
                   payload is set to 35'
               and containing Authentication_payload
               and containing (Security_Association_payload
                  containing at least 1 proposal
                     containing at least 1 transform)
               and containing Traffic_Selector_payload_initiator
                  'Next Payload field of previous
                   payload is set to 44'
               and containing Traffic_Selector_payload_responder
                  'Next Payload field of previous
                   payload is set to 45') }
}

Test Purpose

Identifier: TP_SEC_6405_01

Summary: Test reaction on IKE_AUTH request

References: RQ_002_6405, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
RQ_002_6250, RQ_002_6263, RQ_002_6312, RQ_002_6430, RQ_002_6431

IUT Role: Host

Test Case: TC_SEC_6405_01

with { IUT having received IKE_SA_INIT_request
       and IUT having sent IKE_SA_INIT_response
}
ensure that
{ when { IUT receives IKE_AUTH_request }
  then { IUT sends IKE_AUTH_response
            containing (IKE_Header
               containing IKE_SA_Initiators_SPI
                  set to IKE_SA_Initiators_SPI
                     received in IKE_SA_INIT_request
               and containing IKE_SA_Responders_SPI
                  set to IKE_SA_Responders_SPI
                     sent in IKE_SA_INIT_response
               and containing Major_Version set to 2
               and containing Exchange_Type set to 35 IKE_AUTH
               and containing Flags set to 00000100'B'
               and containing Message_ID
                  set to Message_ID
                     received in IKE_AUTH_request)
            and containing (Encrypted_payload
               containing Identification_payload_responder
                  'Next Payload field of previous payload
                   is set to 36'
               and containing Authentication_payload
               and containing (Security_Association_payload
                  containing 1 proposal
                     received in IKE_AUTH_request)
               and containing Traffic_Selector_payload_initiator
                  'Next Payload field of previous payload
                   is set to 44'
               and containing Traffic_Selector_payload_responder
                  'Next Payload field of previous payload
                   is set to 45') }
}

Test Purpose



Identifier: TP_SEC_6407_01
Summary:    Test of generating CREATE_CHILD_SA request
References: RQ_002_6407, RQ_002_6035, RQ_002_6084, RQ_002_6085, RQ_002_6086, RQ_002_6128,
            RQ_002_6129, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240, RQ_002_6250,
            RQ_002_6263, RQ_002_6344
IUT Role:   Host    Test Case: TC_SEC_6407_01

with { IUT having completed IKE_SA_INIT exchange
       and IUT having completed IKE_AUTH exchange
     }
ensure that
  { when { IUT is requested to send CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_request
             containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         sent or received in the IKE_SA_INIT_response
                 and containing Major_Version set to 2
                 and containing Exchange_Type set to 36 CREATE_CHILD_SA
                 and containing Flags set to 00010000'B'
                 and containing Message_ID
                     set to previous sent Message_ID plus 1)
             and containing (Encrypted_payload
                 containing (Security_Association_payload
                     containing at least 1 proposal
                         containing at least 1 transform)
                 and containing (Nonce_payload
                     containing Nonce_Data
                         of at least 128 bits
                         and 'at least half the
                              prf key length')
                 and containing Traffic_Selector_payload_initiator
                     'Next Payload field of previous
                      payload is set to 44'
                 and containing Traffic_Selector_payload_responder
                     'Next Payload field of previous
                      payload is set to 45') }
  }

Test Purpose



Identifier: TP_SEC_6409_01
Summary:    Test reaction on CREATE_CHILD_SA request
References: RQ_002_6409, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250, RQ_002_6263, RQ_002_6344
IUT Role:   Host    Test Case: TC_SEC_6409_01

with { IUT having completed IKE_SA_INIT exchange
       and IUT having completed IKE_AUTH exchange
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_response
             containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing Major_Version set to 2
                 and containing Exchange_Type set to 36 CREATE_CHILD_SA
                 and containing Flags set to 00000100'B'
                 and containing Message_ID
                     set to Message_ID
                         received in CREATE_CHILD_SA_request )
             and containing (Encrypted_payload
                 containing (Security_Association_payload
                     containing 1 proposal
                         received in CREATE_CHILD_SA_request )
                 and containing Nonce_payload
                 and containing Traffic_Selector_payload_initiator
                     'Next Payload field of previous
                      payload is set to 44'
                 and containing Traffic_Selector_payload_responder
                     'Next Payload field of previous
                      payload is set to 45') }
  }

Test Purpose


Identifier: TP_SEC_6411_01
Summary:    Test of generating INFORMATIONAL request
References: RQ_002_6411, RQ_002_6035, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250
IUT Role:   Host    Test Case: TC_SEC_6411_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT is requested to send INFORMATIONAL_request }
    then { IUT sends INFORMATIONAL_request
             containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing Major_Version set to 2
                 and containing Exchange_Type set to 37 INFORMATIONAL
                 and containing Flags set to 00010000'B'
                 and containing Message_ID
                     set to previous sent Message_ID plus 1)
             and containing (Encrypted_payload
                 containing or more Notify_payload
                 and containing or more Delete_payload
                 and containing or more Configuration_payload) }
  }



Test Purpose 


Identifier: TP_SEC_6412_01
Summary:    Test reaction on INFORMATIONAL request
References: RQ_002_6412, RQ_002_6036, RQ_002_6232, RQ_002_6233, RQ_002_6236, RQ_002_6240,
            RQ_002_6250
IUT Role:   Host    Test Case: TC_SEC_6412_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request }
    then { IUT sends INFORMATIONAL_response
             containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         sent or received in the IKE_SA_INIT_request
                 and containing Major_Version set to 2
                 and containing Exchange_Type set to 37 INFORMATIONAL
                 and containing Flags set to 00000100'B'
                 and containing Message_ID
                     set to Message_ID
                         received in INFORMATIONAL_request )
             and containing (Encrypted_payload
                 containing or more Notify_payload
                 and containing or more Delete_payload
                 and containing or more Configuration_payload) }
  }

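The IKE_Header conditions of the exchange test purposes above can be checked mechanically on a captured message. The following Python code is an added example, not part of the ETSI document: the function names and the sample messages are constructed, and it assumes that the Flags bit strings list bit 0 (the least significant bit) first, so that 00010000'B' is the octet 0x08 and 00000100'B' is 0x20.

```python
import struct

# IKE header: SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1)
# Flags(1) MessageID(4) Length(4) = 28 octets, network byte order.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange_Type values named in the test purposes above.
IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 35, 36, 37


def flags_from_tp(bits: str) -> int:
    """Turn a TP bit string such as "00010000" into the Flags octet.

    Assumption of this example: the string lists bit 0 first and bit 0 is
    the least significant bit, so "00010000" sets bit 3 and "00000100"
    sets bit 5.
    """
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected an 8-character bit string")
    return sum(1 << i for i, b in enumerate(bits) if b == "1")


REQUEST_FLAGS = flags_from_tp("00010000")   # requests sent by the IUT above
RESPONSE_FLAGS = flags_from_tp("00000100")  # responses sent by the IUT above


def parse_header(message: bytes) -> dict:
    """Decode the fixed IKE header and reject truncated or mis-sized input."""
    if len(message) < IKE_HEADER.size:
        raise ValueError("shorter than the 28-octet IKE header")
    ispi, rspi, nxt, ver, xchg, flags, mid, length = IKE_HEADER.unpack_from(message)
    if length != len(message):
        raise ValueError("Length field does not match the message size")
    return {
        "initiator_spi": ispi, "responder_spi": rspi, "next_payload": nxt,
        "major_version": ver >> 4, "minor_version": ver & 0x0F,
        "exchange_type": xchg, "flags": flags, "message_id": mid,
    }


def check_header(message: bytes, *, exchange_type: int, flags: int,
                 message_id: int, initiator_spi: bytes,
                 responder_spi: bytes) -> list:
    """Return the deviations from a TP's IKE_Header clause; empty means pass."""
    try:
        hdr = parse_header(message)
    except ValueError as exc:
        return [f"malformed header: {exc}"]
    expected = {
        "initiator_spi": initiator_spi, "responder_spi": responder_spi,
        "major_version": 2, "exchange_type": exchange_type,
        "flags": flags, "message_id": message_id,
    }
    return [f"{name}: expected {want!r}, got {hdr[name]!r}"
            for name, want in expected.items() if hdr[name] != want]


def build_message(ispi: bytes, rspi: bytes, exchange_type: int, flags: int,
                  message_id: int, body: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample: header plus filler bytes standing in for the
    Encrypted payload (Next Payload 46); nothing here is real key material."""
    length = IKE_HEADER.size + len(body)
    return IKE_HEADER.pack(ispi, rspi, 46, 0x20, exchange_type, flags,
                           message_id, length) + body


if __name__ == "__main__":
    ispi, rspi = bytes(range(1, 9)), bytes(range(9, 17))
    sample = build_message(ispi, rspi, IKE_AUTH, 0x08, 1)
    print(check_header(sample, exchange_type=IKE_AUTH, flags=REQUEST_FLAGS,
                       message_id=1, initiator_spi=ispi, responder_spi=rspi))
```

The same call with `RESPONSE_FLAGS` and the Message_ID taken from the request covers the response-side test purposes; the payload conditions inside the Encrypted_payload need the IKE_SA keys and are outside this check.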
A.3.2 IKE Header and Payload Formats



A.3.2.1 Configuration payload 



Test Purpose 



Identifier: TP_SEC_6468_01
Summary:    Test reaction on INFORMATIONAL_request with unsupported Configuration payload
References: RQ_002_6468
IUT Role:   Host    Test Case: TC_SEC_6468_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing (Configuration_payload
                 containing Configuration_Type
                     set to 1 CFG_REQUEST
                 and containing any unsupported
                     Configuration_Attribute) }
    then { IUT sends INFORMATIONAL_response
             containing (Configuration_payload
                 containing Configuration_Type
                     set to 2 CFG_REPLY
                 and not containing any unsupported
                     Configuration_Attribute)
             or not containing (Configuration_payload) }
  }



A.3.2.2 IKE Error Types 



Test Purpose 


Identifier: TP_SEC_6365_01
Summary:    Test reaction on INFORMATIONAL request containing incorrect value
References: RQ_002_6365, RQ_002_6368
IUT Role:   Host    Test Case: TC_SEC_6365_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing 'syntactically incorrect value' }
    then { IUT sends INFORMATIONAL_response
             containing (Encrypted_payload
                 containing Notify_payload
                     containing Notify_Message_Type
                         set to 7 INVALID_SYNTAX) }
  }

Test Purpose



Identifier: TP_SEC_6375_01
Summary:    Test reaction on CREATE_CHILD_SA request containing Traffic Selectors indicating address range
References: RQ_002_6375
IUT Role:   Host    Test Case: TC_SEC_6375_01

with { IUT having established an IKE_Security_Association
       and IUT 'only supporting Traffic Selectors specifying a
                single pair of addresses'
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Traffic_Selector_payload
                 containing Traffic_Selector
                     indicating 'address range') }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 34 SINGLE_PAIR_REQUIRED) }
  }



Test Purpose 



Identifier: TP_SEC_6376_01
Summary:    Test reaction on CREATE_CHILD_SA request when no more CHILD_SA can be established
References: RQ_002_6376
IUT Role:   Host    Test Case: TC_SEC_6376_01

with { IUT having established an IKE_Security_Association
       and IUT 'unable to establish any further CHILD_SA'
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 35 NO_ADDITIONAL_SAS) }
  }



Test Purpose 


Identifier: TP_SEC_6379_01
Summary:    Test reaction on CREATE_CHILD_SA request containing unacceptable Traffic Selectors
References: RQ_002_6379
IUT Role:   Host    Test Case: TC_SEC_6379_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Traffic_Selector_payload
                 containing 1 or more
                     unacceptable Traffic_Selector) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 38 TS_UNACCEPTABLE) }
  }

Test Purpose


Identifier: TP_SEC_6393_01
Summary:    Test reaction on CREATE_CHILD_SA request containing transport mode request
References: RQ_002_6393
IUT Role:   Host    Test Case: TC_SEC_6393_01

with { IUT having established an IKE_Security_Association
       and IUT 'ready to accept transport mode request'
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16391 USE_TRANSPORT_MODE) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16391 USE_TRANSPORT_MODE) }
  }



Test Purpose 


Identifier: TP_SEC_6394_01
Summary:    Test reaction on CREATE_CHILD_SA request containing transport mode request
References: RQ_002_6394
IUT Role:   Host    Test Case: TC_SEC_6394_01

with { IUT having established an IKE_Security_Association
       and IUT 'not ready to accept transport mode request'
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16391 USE_TRANSPORT_MODE) }
    then { IUT sends CREATE_CHILD_SA_response
             not containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16391 USE_TRANSPORT_MODE) }
  }



A.3.3 IKE Informational Exchanges 



Test Purpose 


Identifier: TP_SEC_6007_01
Summary:    Test reaction on INFORMATIONAL request without payload
References: RQ_002_6007, RQ_002_6012
IUT Role:   Host    Test Case: TC_SEC_6007_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request
             not containing a payload }
    then { IUT sends INFORMATIONAL_response }
  }

Test Purpose



Identifier: TP_SEC_6014_01
Summary:    Test of generating INFORMATIONAL_request with Delete payload for IKE_SA
References: RQ_002_6014, RQ_002_6016, RQ_002_6062, RQ_002_6064, RQ_002_6415, RQ_002_6416,
            RQ_002_6417
IUT Role:   Host    Test Case: TC_SEC_6014_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT is requested to send INFORMATIONAL_request
             containing Delete_payload }
    then { IUT sends INFORMATIONAL_request
             containing IKE_Header
             and containing (Encrypted_payload
                 containing Delete_payload
                     containing Protocol_ID indicating 1
                     and containing SPI_Size indicating
                     and not containing SPI) }
  }



Test Purpose 



Identifier: TP_SEC_6014_02
Summary:    Test of generating INFORMATIONAL_request with Delete payload for CHILD_SA
References: RQ_002_6014, RQ_002_6016, RQ_002_6060, RQ_002_6061, RQ_002_6415, RQ_002_6416,
            RQ_002_6417
IUT Role:   Host    Test Case: TC_SEC_6014_02

with { IUT having established an IKE_Security_Association
       and IUT having established at least 1 CHILD_SA
     }
ensure that
  { when { IUT is requested to send INFORMATIONAL_request
             containing Delete_payload }
    then { IUT sends INFORMATIONAL_request
             containing IKE_Header
             and containing (Encrypted_payload
                 containing Delete_payload
                     containing Protocol_ID
                         indicating 2 or
                     and containing SPI_Size indicating 4
                     and containing SPI) }
  }

A.3.4 IKE Protocol



A.3.4.1 Authentication 



A.3.4.1.1 Extensible Authentication Methods



Test Purpose 


Identifier: TP_SEC_6151_01
Summary:    Test of generating IKE_AUTH request for extensible authentication methods, message 3
References: RQ_002_6151
IUT Role:   Host    Test Case: TC_SEC_6151_01

with { ordered ( IUT having sent IKE_SA_INIT_request
                 and IUT having received IKE_SA_INIT_response )
       and IUT configured 'to use extensible authentication methods'
     }
ensure that
  { when { IUT is requested to send IKE_AUTH_request }
    then { IUT sends IKE_AUTH_request
             not containing Authentication_payload }
  }



Test Purpose 



Identifier: TP_SEC_6152_01
Summary:    Test reaction on IKE_AUTH request for extensible authentication methods, message 3
References: RQ_002_6152, RQ_002_6153
IUT Role:   Host    Test Case: TC_SEC_6152_01

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response )
       and IUT configured 'to support extensible authentication methods'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             not containing Authentication_payload }
    then { IUT sends IKE_AUTH_response
             containing Extensible_Authentication_Protocol_payload
             and containing Identification_payload
             and containing Authentication_payload
             and not containing Security_Association_payload
             and not containing any Traffic_Selector_payload }
  }



Test Purpose 



Identifier: TP_SEC_6153_01
Summary:    Test of generating IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6153
IUT Role:   Host    Test Case: TC_SEC_6153_01

with { ordered ( IUT having sent IKE_SA_INIT_request          'message 1'
                 and IUT having received IKE_SA_INIT_response 'message 2'
                 and IUT having sent IKE_AUTH_request         'message 3'
                 and IUT having received IKE_AUTH_response    'message 4' )
       and IUT configured 'to use extensible authentication'
     }
ensure that
  { when { IUT is requested to send IKE_AUTH_request }
    then { IUT sends IKE_AUTH_request
             containing Extensible_Authentication_Protocol_payload }
  }

Test Purpose



Identifier: TP_SEC_6161_01
Summary:    Test reaction on IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6161
IUT Role:   Host    Test Case: TC_SEC_6161_01

with { ordered ( IUT having received IKE_SA_INIT_request  'message 1'
                 and IUT having sent IKE_SA_INIT_response 'message 2'
                 and IUT having received IKE_AUTH_request 'message 3'
                 and IUT having sent IKE_AUTH_response    'message 4'
       and IUT having completed 'authentication method successfully'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             containing Extensible_Authentication_Protocol_payload }
    then { IUT sends IKE_AUTH_response
             containing (Extensible_Authentication_Protocol_payload
                 containing Code set to 3 'success' }
  }



Test Purpose 


Identifier: TP_SEC_6162_01
Summary:    Test reaction on IKE_AUTH request for extensible authentication methods, message 5
References: RQ_002_6162, RQ_002_6374
IUT Role:   Host    Test Case: TC_SEC_6162_01

with { ordered ( IUT having received IKE_SA_INIT_request  'message 1'
                 and IUT having sent IKE_SA_INIT_response 'message 2'
                 and IUT having received IKE_AUTH_request 'message 3'
                 and IUT sent IKE_AUTH_response           'message 4' )
       and IUT having completed 'authentication method unsuccessfully'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             containing Extensible_Authentication_Protocol_payload }
    then { IUT sends IKE_AUTH_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 24 AUTHENTICATION_FAILED) }
  }





Test Purpose 


Identifier: TP_SEC_6164_01
Summary:    Test of generating IKE_AUTH request for extensible authentication methods, message 7
References: RQ_002_6164
IUT Role:   Host    Test Case: TC_SEC_6164_01

with { ordered ( IUT having sent IKE_SA_INIT_request          'message 1'
                 and IUT having received IKE_SA_INIT_response 'message 2'
                 and IUT having sent IKE_AUTH_request         'message 3'
                 and IUT having received IKE_AUTH_response    'message 4'
                 and IUT having sent IKE_AUTH_request         'message 5'
                 and IUT having received IKE_AUTH_response    'message 6' )
       and IUT 'ready to finalize extensible authentication'
     }
ensure that
  { when { IUT is requested to send IKE_AUTH_request }
    then { IUT sends IKE_AUTH_request
             containing Authentication_payload }
  }

Test Purpose



Identifier: TP_SEC_6164_02
Summary:    Test reaction on IKE_AUTH request for extensible authentication methods, message 7
References: RQ_002_6164
IUT Role:   Host    Test Case: TC_SEC_6164_02

with { ordered ( IUT having received IKE_SA_INIT_request  'message 1'
                 and IUT having sent IKE_SA_INIT_response 'message 2'
                 and IUT having received IKE_AUTH_request 'message 3'
                 and IUT having sent IKE_AUTH_response    'message 4'
                 and IUT having received IKE_AUTH_request 'message 5'
                 and IUT having sent IKE_AUTH_response    'message 6'
       and IUT having completed 'authentication method successfully'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             containing Authentication_payload }
    then { IUT sends IKE_AUTH_response
             containing Authentication_payload
             and containing Security_Association_payload
             and containing Traffic_Selector_payload_initiator
                 'Next Payload field of previous
                  payload has value 44'
             and containing Traffic_Selector_payload_responder
                 'Next Payload field of previous
                  payload has value 45' }
  }



A.3.4.2 Error Handling 



Test Purpose 


Identifier: TP_SEC_6186_01
Summary:    Test reaction on badly formatted IKE_SA_INIT request
References: RQ_002_6186
IUT Role:   Host    Test Case: TC_SEC_6186_01

with { IUT ready to receive IKE_SA_INIT_request
       and IUT ready to send IKE_SA_INIT_response
     }
ensure that
  { when { IUT receives badly formatted IKE_SA_INIT_request }
    then { IUT sends IKE_SA_INIT_response
             containing Notify_payload }
  }



Test Purpose 


Identifier: TP_SEC_6186_02
Summary:    Test reaction on badly formatted IKE_AUTH request
References: RQ_002_6186
IUT Role:   Host    Test Case: TC_SEC_6186_02

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response
     }
ensure that
  { when { IUT receives badly formatted IKE_AUTH_request }
    then { IUT sends IKE_AUTH_response
             containing Notify_payload }
  }

Test Purpose


Identifier: TP_SEC_6188_01
Summary:    Test reaction on badly formatted IKE_SA_INIT response
References: RQ_002_6188
IUT Role:   Host    Test Case: TC_SEC_6188_01

with { IUT having sent IKE_SA_INIT_request
     }
ensure that
  { when { IUT receives badly formatted IKE_SA_INIT_response }
    then { IUT sends no response }
  }





Test Purpose 


Identifier: TP_SEC_6188_02
Summary:    Test reaction on badly formatted IKE_AUTH response
References: RQ_002_6188
IUT Role:   Host    Test Case: TC_SEC_6188_02

with { ordered ( IUT having sent IKE_SA_INIT_request
                 and IUT having received IKE_SA_INIT_response
                 and IUT having sent IKE_AUTH_request )
     }
ensure that
  { when { IUT receives badly formatted IKE_AUTH_response }
    then { IUT sends no response }
  }



Test Purpose 


Identifier: TP_SEC_6189_01
Summary:    Test reaction on request outside of known IKE_SA
References: RQ_002_6189, RQ_002_6190, RQ_002_6191
IUT Role:   Host    Test Case: TC_SEC_6189_01

with { IUT having no IKE_Security_Association
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request on UDP_port_500 }
    then { IUT sends CREATE_CHILD_SA_response on UDP_port_500
             containing destination_address
                 set to source_address
                     received in CREATE_CHILD_SA_request
             and containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         received in CREATE_CHILD_SA_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         received in CREATE_CHILD_SA_request
                 and containing Message_ID
                     set to Message_ID
                         received in CREATE_CHILD_SA_request )
             and not containing an Encrypted_payload
             and containing (Notify_payload - Not encrypted
                 containing Notify_Message_Type
                     set to 4 INVALID_IKE_SPI ) }
  }

Test Purpose


Identifier: TP_SEC_6189_02
Summary:    Test reaction on request outside of known IKE_SA
References: RQ_002_6189, RQ_002_6190, RQ_002_6191
IUT Role:   Host    Test Case: TC_SEC_6189_02

with { IUT having no IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request on UDP_port_4500 }
    then { IUT sends INFORMATIONAL_response on UDP_port_4500
             containing destination_address
                 set to source_address received in INFORMATIONAL_request
             and containing (IKE_Header
                 containing IKE_SA_Initiators_SPI
                     set to IKE_SA_Initiators_SPI
                         received in INFORMATIONAL_request
                 and containing IKE_SA_Responders_SPI
                     set to IKE_SA_Responders_SPI
                         received in INFORMATIONAL_request
                 and containing Message_ID
                     set to Message_ID
                         received in INFORMATIONAL_request
             and not containing an Encrypted_payload
             and containing (Notify_payload - Not encrypted
                 containing Notify_Message_Type
                     set to 4 INVALID_IKE_SPI) }
  }



Test Purpose 


Identifier: TP_SEC_6023_01
Summary:    Test reaction on cryptographically unprotected response indicating invalid SPI
References: RQ_002_6023, RQ_002_6194
IUT Role:   Host    Test Case: TC_SEC_6023_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_response
             containing (IKE_Header
                 containing unknown IKE_SA_Initiators_SPI
                 and containing unknown IKE_SA_Responders_SPI)
             and not containing an Encrypted_payload
             and containing (Notify_payload - Not encrypted
                 containing Notify_Message_Type
                     set to 4 INVALID_IKE_SPI) }
    then { IUT sends no response }
  }

Test Purpose


Identifier: TP_SEC_6023_02
Summary:    Test reaction on cryptographically unprotected response indicating invalid SPI
References: RQ_002_6023, RQ_002_6194
IUT Role:   Host    Test Case: TC_SEC_6023_02

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_response
             containing (IKE_Header
                 containing unknown IKE_SA_Initiators_SPI
                 and containing unknown IKE_SA_Responders_SPI)
             and not containing an Encrypted_payload
             and containing (Notify_payload - Not encrypted
                 containing Notify_Message_Type
                     set to 4 INVALID_IKE_SPI) }
    then { IUT sends no response }
  }



Test Purpose 


Identifier: TP_SEC_6023_03
Summary:    Test reaction on INFORMATIONAL request with Notify payload without cryptographic protection
References: RQ_002_6023, RQ_002_6022
IUT Role:   Host    Test Case: TC_SEC_6023_03

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request
             not containing an Encrypted_payload
             containing (Notify_payload - Not encrypted
                 containing Notify_Message_Type
                     set to 4 INVALID_IKE_SPI) }
    then { IUT sends no INFORMATIONAL_response }
  }



A.3.4.3 General Protocol Handling 
A.3.4.3.1 Address and Port Agility 



Test Purpose 


Identifier: TP_SEC_6206_01
Summary:    Test reaction on IKE_SA_INIT request received on UDP port other than 500 or 4500
References: RQ_002_6206, RQ_002_6131, RQ_002_6212
IUT Role:   Host    Test Case: TC_SEC_6206_01

with { IUT ready to receive IKE_SA_INIT_request
       and IUT ready to send IKE_SA_INIT_response
     }
ensure that
  { when { IUT receives IKE_SA_INIT_request not on UDP_port_500
                                            and not on UDP_port_4500 }
    then { IUT sends IKE_SA_INIT_response on 'UDP port on which request
                                              was received' }
  }

A.3.4.3.2 IP Compression (IPComp)



Test Purpose 



Identifier: TP_SEC_6385_01
Summary:    Test reaction on CREATE_CHILD_SA request with compression offer
References: RQ_002_6385, RQ_002_6203
IUT Role:   Host    Test Case: TC_SEC_6385_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing IKE_Header
             and containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16387 IPCOMP_SUPPORTED
                 and containing (Notification_Data
                     containing transform_ID)
             and containing additional (Notify_payload
                 containing Notify_Message_Type
                     set to 16387 IPCOMP_SUPPORTED
                 and containing (Notification_Data
                     containing transform_ID) }
    then { IUT sends CREATE_CHILD_SA_response
             containing IKE_Header
             and optionally (containing (Notify_payload
                 containing Notify_Message_Type
                     set to 16387 IPCOMP_SUPPORTED
                 and containing (Notification_Data
                     containing 1 transform_ID
                         received in
                         CREATE_CHILD_SA_request )
             and not containing additional (Notify_payload
                 containing Notify_Message_Type
                     set to 16387 IPCOMP_SUPPORTED) }
  }



A.3.4.3.3 Message Format



Test Purpose 


Identifier: TP_SEC_6369_01
Summary:    Test reaction on request with incorrect Message ID
References: RQ_002_6369, RQ_002_6370
IUT Role:   Host    Test Case: TC_SEC_6369_01

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (IKE_Header
                 containing Message_ID 'out of sequence') }
    then { IUT not sends CREATE_CHILD_SA_response
           and IUT optionally sends INFORMATIONAL_request
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 9 INVALID_MESSAGE_ID) }
  }

Test Purpose


Identifier: TP_SEC_6369_02
Summary:    Test reaction on request with incorrect Message ID
References: RQ_002_6369, RQ_002_6370
IUT Role:   Host    Test Case: TC_SEC_6369_02

with { IUT having established an IKE_Security_Association
     }
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing (IKE_Header
                 containing Message_ID 'out of sequence' }
    then { IUT not sends INFORMATIONAL_response
           and IUT optionally sends INFORMATIONAL_request
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 9 INVALID_MESSAGE_ID) }
  }



A.3.4.3.4 Overlapping Requests



Test Purpose 


Identifier: TP_SEC_6041_01
Summary:    Test reaction on request when sent request is not answered
References: RQ_002_6041
IUT Role:   Host    Test Case: TC_SEC_6041_01

with { IUT having established IKE_Security_Association
       and IUT having sent CREATE_CHILD_SA_request
       and IUT not having received CREATE_CHILD_SA_response
     }
ensure that
  { when { IUT receives CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_response }
  }



Test Purpose 


Identifier: TP_SEC_6041_02
Summary:    Test reaction on request when sent request is not answered
References: RQ_002_6041
IUT Role:   Host    Test Case: TC_SEC_6041_02

with { IUT having established an IKE_Security_Association
       and IUT having sent INFORMATIONAL_request
       and IUT not having received INFORMATIONAL_response
     }
ensure that
  { when { IUT receives INFORMATIONAL_request }
    then { IUT sends INFORMATIONAL_response }
  }

A.3.4.3.5 Request Internal Address



Test Purpose 



Identifier: TP_SEC_6177_01
Summary:    Test reaction on IKE_AUTH request with Configuration Payload
References: RQ_002_6177, RQ_002_6178, RQ_002_6183, RQ_002_6462, RQ_002_6465
IUT Role:   Ipsec_gateway    Test Case: TC_SEC_6177_01

with { IUT configured 'to expect IKE_AUTH request to include
                       the Configuration Payload'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             containing (Configuration_payload
                 containing Configuration_Type
                     set to 1 CFG_REQUEST
                 and containing (Configuration_Attribute
                     containing Attribute_Type
                         set to 8 INTERNAL_IP6_ADDRESS }
    then { IUT sends IKE_AUTH_response
             containing (Configuration_Payload
                 containing Configuration_Type
                     set to 2 CFG_REPLY
                 and containing (Configuration_Attribute
                     containing Attribute_Type
                         set to 8 INTERNAL_IP6_ADDRESS
                     and containing Attribute_Value
                         set to IPv6_Address)
                 before the Security_Association_payload }
  }



Test Purpose 


Identifier: TP_SEC_6184_01
Summary:    Test reaction on IKE_AUTH request with Configuration Payload
References: RQ_002_6184, RQ_002_6462
IUT Role:   Ipsec_gateway    Test Case: TC_SEC_6184_01

with { IUT configured 'to expect IKE_AUTH request to include
                       the Configuration Payload'
     }
ensure that
  { when { IUT receives IKE_AUTH_request
             not containing (Configuration_payload
                 containing Configuration_Type
                     set to 1 CFG_REQUEST }
    then { IUT sends IKE_AUTH_response
             containing (Notify_payload
                 containing Notify_Message_Type
                     set to 37 FAILED_CP_REQUIRED) }
  }

A.3.4.3.6 Retransmission Timers



Test Purpose 


Identifier: TP_SEC_6030_01
Summary:    Test reaction on repeated IKE_SA_INIT request
References: RQ_002_6030, RQ_002_6046
IUT Role:   Host    Test Case: TC_SEC_6030_01

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response
     }
ensure that
  { when { IUT receives previous IKE_SA_INIT_request -- i.e. the same as the
                                                     -- one that it has
                                                     -- already answered
         }
    then { IUT resends previous IKE_SA_INIT_response }
  }



Test Purpose 


Identifier: TP_SEC_6030_02
Summary:    Test reaction on repeated IKE_AUTH request
References: RQ_002_6030, RQ_002_6046
IUT Role:   Host    Test Case: TC_SEC_6030_02

with { ordered ( IUT having received IKE_AUTH_request
                 and IUT having sent IKE_AUTH_response)
     }
ensure that
  { when { IUT receives previous IKE_AUTH_request -- i.e. the same as the
                                                  -- one that it has
                                                  -- already answered
         }
    then { IUT resends previous IKE_AUTH_response }
  }





Test Purpose 


Identifier: TP_SEC_6030_03
Summary:    Test reaction on repeated CREATE_CHILD_SA request
References: RQ_002_6030, RQ_002_6046
IUT Role:   Host    Test Case: TC_SEC_6030_03

with { ordered ( IUT having received CREATE_CHILD_SA_request
                 and IUT having sent CREATE_CHILD_SA_response)
     }
ensure that
  { when { IUT receives previous CREATE_CHILD_SA_request -- i.e. the same as
                                                         -- the one that it
                                                         -- has already
                                                         -- answered
         }
    then { IUT resends previous CREATE_CHILD_SA_response }
  }

Test Purpose

Identifier: TP_SEC_6030_04
Summary: Test reaction on repeated INFORMATIONAL request
References: RQ_002_6030, RQ_002_6046
IUT Role: Host | Test Case: TC_SEC_6030_04

with { ordered ( IUT having received INFORMATIONAL_request
                 and IUT having sent INFORMATIONAL_response)
}
ensure that
  { when { IUT receives previous INFORMATIONAL_request -- i.e. the same as
                                                       -- the one that it
                                                       -- has already
                                                       -- answered
    }
    then { IUT resends previous INFORMATIONAL_response }
  }



Test Purpose

Identifier: TP_SEC_6033_01
Summary: Test resending of unanswered IKE_SA_INIT request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host | Test Case: TC_SEC_6033_01


with { IUT having sent IKE_SA_INIT_request 

} 
ensure that 

{ when { IUT receives no IKE_SA_INIT_response } 
then { IUT resends previous IKE_SA_INIT_request } 
} 



Test Purpose

Identifier: TP_SEC_6033_02
Summary: Test resending of unanswered IKE_AUTH request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host | Test Case: TC_SEC_6033_02


with { IUT having sent IKE_AUTH_request 

} 
ensure that 

{ when { IUT receives no IKE_AUTH_response } 
then { IUT resends previous IKE_AUTH_request } 
} 



Test Purpose

Identifier: TP_SEC_6033_03
Summary: Test resending of unanswered CREATE_CHILD_SA request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host | Test Case: TC_SEC_6033_03

with { IUT having sent CREATE_CHILD_SA_request
}
ensure that
  { when { IUT receives no CREATE_CHILD_SA_response }
    then { IUT resends previous CREATE_CHILD_SA_request }
  }
Test Purpose

Identifier: TP_SEC_6033_04
Summary: Test resending of unanswered INFORMATIONAL request
References: RQ_002_6033, RQ_002_6045
IUT Role: Host | Test Case: TC_SEC_6033_04

with { IUT having sent INFORMATIONAL_request
}
ensure that
  { when { IUT receives no INFORMATIONAL_response }
    then { IUT resends previous INFORMATIONAL_request }
  }
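The retransmission behaviour required by TP_SEC_6030_xx (responder resends the previous response) and TP_SEC_6033_xx (initiator resends the unanswered request), as an added example that is not part of the ETSI specification. The class and function names, the handler callback, the lossy channel and the choice to drop a request that reuses a Message ID with different content are assumptions of the example.

```python
import hashlib


class Responder:
    """Answers each request once and replays the stored bytes for a repeat."""

    def __init__(self, handler):
        self._handler = handler   # hypothetical callback: request bytes -> response bytes
        self._answered = {}       # (initiator SPI, Message ID) -> (request digest, response)
        self.handler_calls = 0

    def on_request(self, spi_i: bytes, msg_id: int, request: bytes):
        key = (spi_i, msg_id)
        digest = hashlib.sha256(request).digest()
        if key in self._answered:
            seen_digest, response = self._answered[key]
            # Same request again: resend the previous response unchanged and do
            # not run the handler a second time (no new nonce, no new state).
            # Design choice of this example: other content under an already
            # answered Message ID is dropped.
            return response if seen_digest == digest else None
        response = self._handler(request)
        self.handler_calls += 1
        self._answered[key] = (digest, response)
        return response


def initiator_exchange(request: bytes, send, max_transmissions: int):
    """Send `request` and resend the identical bytes while no response arrives.

    `send(request)` is a hypothetical transport call that returns the response,
    or None when the retransmission timer expired first.
    Returns (response or None, number of transmissions).
    """
    for attempt in range(1, max_transmissions + 1):
        response = send(request)
        if response is not None:
            return response, attempt
    return None, max_transmissions


def lossy_link(responder, spi_i: bytes, msg_id: int, drop_first_n: int):
    """Constructed channel that loses the first `drop_first_n` responses."""
    state = {"sent": 0}

    def send(request: bytes):
        state["sent"] += 1
        response = responder.on_request(spi_i, msg_id, request)
        return None if state["sent"] <= drop_first_n else response

    return send
```
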



A.3.4.3.7 Version Compatibility 



Test Purpose

Identifier: TP_SEC_6065_01
Summary: Test reaction on IKE_SA_INIT request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host | Test Case: TC_SEC_6065_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
  { when { IUT receives IKE_SA_INIT_request
             containing (IKE_Header
               containing Major_Version
                 set to greater than 2) }
    then { IUT discards IKE_SA_INIT_request
           and optionally (
             IUT sends IKE_SA_INIT_response
               containing (Notify_payload
                 containing Notify_Message_Type
                   set to 5 INVALID_MAJOR_VERSION)) }
  }



Test Purpose

Identifier: TP_SEC_6065_02
Summary: Test reaction on IKE_AUTH request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host | Test Case: TC_SEC_6065_02

with { ordered ( IUT having received IKE_SA_INIT_request
                 and IUT having sent IKE_SA_INIT_response)
}
ensure that
  { when { IUT receives IKE_AUTH_request
             containing (IKE_Header
               containing Major_Version
                 set to greater than 2) }
    then { IUT discards IKE_AUTH_request
           and optionally (
             IUT sends IKE_AUTH_response
               containing (Notify_payload
                 containing Notify_Message_Type
                   set to 5 INVALID_MAJOR_VERSION)) }
  }
Test Purpose

Identifier: TP_SEC_6065_03
Summary: Test reaction on CREATE_CHILD_SA request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host | Test Case: TC_SEC_6065_03

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (IKE_Header
               containing Major_Version
                 set to greater than 2) }
    then { IUT discards CREATE_CHILD_SA_request
           and optionally (
             IUT sends CREATE_CHILD_SA_response
               containing (Notify_payload
                 containing Notify_Message_Type
                   set to 5 INVALID_MAJOR_VERSION)) }
  }



Test Purpose

Identifier: TP_SEC_6065_04
Summary: Test reaction on INFORMATIONAL request with major version > 2
References: RQ_002_6065, RQ_002_6066, RQ_002_6237
IUT Role: Host | Test Case: TC_SEC_6065_04

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing (IKE_Header
               containing Major_Version
                 set to greater than 2) }
    then { IUT discards INFORMATIONAL_request
           and optionally (
             IUT sends INFORMATIONAL_response
               containing (Notify_payload
                 containing Notify_Message_Type
                   set to 5 INVALID_MAJOR_VERSION)) }
  }



Test Purpose

Identifier: TP_SEC_6068_01
Summary: Test reaction on IKE_SA_INIT request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host | Test Case: TC_SEC_6068_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
  { when { IUT receives IKE_SA_INIT_request
             containing (IKE_Header
               containing Major_Version set to 1) }
    then { IUT sends IKE_SA_INIT_response
             containing (IKE_Header
               containing Major_Version set to 1
               and containing V_Bit set to 1) }
  }
Test Purpose

Identifier: TP_SEC_6068_02
Summary: Test reaction on IKE_AUTH request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host | Test Case: TC_SEC_6068_02

with { ordered ( IUT having sent IKE_SA_INIT_request
                 and IUT having received IKE_SA_INIT_response)
}
ensure that
  { when { IUT receives IKE_AUTH_request
             containing (IKE_Header
               containing Major_Version set to 1) }
    then { IUT sends IKE_AUTH_response
             containing (IKE_Header
               containing Major_Version set to 1
               and containing V_Bit set to 1) }
  }





Test Purpose

Identifier: TP_SEC_6068_03
Summary: Test reaction on CREATE_CHILD_SA request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host | Test Case: TC_SEC_6068_03

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (IKE_Header
               containing Major_Version set to 1) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (IKE_Header
               containing Major_Version set to 1
               and containing V_Bit set to 1) }
  }







Test Purpose

Identifier: TP_SEC_6068_04
Summary: Test reaction on INFORMATIONAL request with major version < 2
References: RQ_002_6068, RQ_002_6067, RQ_002_6069
IUT Role: Host | Test Case: TC_SEC_6068_04

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing (IKE_Header
               containing Major_Version set to 1) }
    then { IUT sends INFORMATIONAL_response
             containing (IKE_Header
               containing Major_Version set to 1
               and containing V_Bit set to 1) }
  }
Test Purpose

Identifier: TP_SEC_6362_01
Summary: Test reaction on CREATE_CHILD_SA request with unrecognized payload
References: RQ_002_6362, RQ_002_6255
IUT Role: Host | Test Case: TC_SEC_6362_01

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing unrecognized (payload
               containing C_Bit set to 1) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
  }



Test Purpose

Identifier: TP_SEC_6362_02
Summary: Test reaction on INFORMATIONAL request with unrecognized payload
References: RQ_002_6362, RQ_002_6255
IUT Role: Host | Test Case: TC_SEC_6362_02

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing unrecognized (payload
               containing C_Bit set to 1) }
    then { IUT sends INFORMATIONAL_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
  }



Test Purpose

Identifier: TP_SEC_6073_01
Summary: Test reaction on CREATE_CHILD_SA request with unrecognized payload
References: RQ_002_6073, RQ_002_6256
IUT Role: Host | Test Case: TC_SEC_6073_01

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing unrecognized (payload
               containing C_Bit set to 0) }
    then { IUT sends CREATE_CHILD_SA_response
             not containing (Notify_payload
               containing Notify_Message_Type
                 set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
  }
Test Purpose

Identifier: TP_SEC_6073_02
Summary: Test reaction on INFORMATIONAL request with unrecognized payload
References: RQ_002_6073, RQ_002_6256
IUT Role: Host | Test Case: TC_SEC_6073_02

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives INFORMATIONAL_request
             containing unrecognized (payload
               containing C_Bit set to 0) }
    then { IUT sends INFORMATIONAL_response
             not containing (Notify_payload
               containing Notify_Message_Type
                 set to 1 UNSUPPORTED_CRITICAL_PAYLOAD) }
  }
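The reactions required by TP_SEC_6065_xx (major version > 2) and by TP_SEC_6362_xx and TP_SEC_6073_xx (unrecognized payload with C_Bit 1 or 0), written as a receiver-side check over the IKE header and the generic payload headers. This is an added example, not part of the ETSI specification; the names react and build, the KNOWN_PAYLOADS set and the sample messages are assumptions of the example, and the payload chain is assumed to be already decrypted.

```python
import struct

# Numbers from RFC 7296 (IKEv2), matching the test purposes above.
UNSUPPORTED_CRITICAL_PAYLOAD = 1
INVALID_MAJOR_VERSION = 5
NO_NEXT_PAYLOAD = 0
# Assumption: this receiver understands payload types 33 (SA) to 48 (EAP).
KNOWN_PAYLOADS = frozenset(range(33, 49))
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
DISCARD = ("discard", None, b"")


def react(datagram: bytes):
    """Return (action, notify type, notification data) for a received request.

    Assumption: the payload chain is in the clear, i.e. the Encrypted payload
    of a CREATE_CHILD_SA or INFORMATIONAL request has already been opened.
    """
    if len(datagram) < IKE_HEADER.size:
        return DISCARD
    _, _, next_payload, version, _, _, _, length = IKE_HEADER.unpack_from(datagram)
    major = version >> 4
    if major > 2:
        # TP_SEC_6065_xx: discard; sending the notification is optional.
        return ("discard", INVALID_MAJOR_VERSION, b"")
    if major < 2:
        # TP_SEC_6068_xx covers this case; it is not modelled here.
        return ("not-ikev2", None, b"")
    if length != len(datagram):
        return DISCARD
    offset = IKE_HEADER.size
    while next_payload != NO_NEXT_PAYLOAD:
        if offset + 4 > length:
            return DISCARD                     # chain runs past the message
        following, flags, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > length:
            return DISCARD                     # malformed payload length
        if next_payload not in KNOWN_PAYLOADS and flags & 0x80:
            # TP_SEC_6362_xx: C_Bit set to 1 on an unrecognized payload.
            # RFC 7296 puts the one-octet payload type in the notification data.
            return ("reject", UNSUPPORTED_CRITICAL_PAYLOAD, bytes([next_payload]))
        # TP_SEC_6073_xx: C_Bit set to 0, so an unrecognized payload is skipped.
        offset += plen
        next_payload = following
    return ("process", None, b"")


def build(major, exchange, payloads):
    """Constructed input: payloads is a list of (type, critical, body)."""
    chain = b""
    for i, (_, critical, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        chain += struct.pack("!BBH", following, 0x80 if critical else 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    return IKE_HEADER.pack(b"\x01" * 8, b"\x02" * 8, first, major << 4, exchange,
                           0x08, 1, IKE_HEADER.size + len(chain)) + chain
```
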



A.3.4.4 Security Parameter Negotiation 
A.3.4.4.1 Algorithm Negotiation



Test Purpose

Identifier: TP_SEC_6088_01
Summary: Test reaction on IKE_SA_INIT request with several SA proposals
References: RQ_002_6088, RQ_002_6271
IUT Role: Host | Test Case: TC_SEC_6088_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
  { when { IUT receives IKE_SA_INIT_request
             containing (Security_Association_payload
               containing at least 1 acceptable Proposal) }
    then { IUT sends IKE_SA_INIT_response
             containing (Security_Association_payload
               containing 1 Proposal) }
  }



Test Purpose

Identifier: TP_SEC_6088_02
Summary: Test reaction on IKE_AUTH request with several SA proposals
References: RQ_002_6088, RQ_002_6271
IUT Role: Host | Test Case: TC_SEC_6088_02

with { IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response
}
ensure that
  { when { IUT receives IKE_AUTH_request
             containing (Security_Association_payload
               containing at least 1 acceptable Proposal) }
    then { IUT sends IKE_AUTH_response
             containing (Security_Association_payload
               containing 1 Proposal) }
  }
Test Purpose

Identifier: TP_SEC_6088_03
Summary: Test reaction on CREATE_CHILD_SA request with several SA proposals
References: RQ_002_6088, RQ_002_6271
IUT Role: Host | Test Case: TC_SEC_6088_03

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Security_Association_payload
               containing at least 1 acceptable Proposal) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Security_Association_payload
               containing 1 Proposal) }
  }



Test Purpose

Identifier: TP_SEC_6372_01
Summary: Test reaction on IKE_SA_INIT request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host | Test Case: TC_SEC_6372_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
  { when { IUT receives IKE_SA_INIT_request
             containing (Security_Association_payload
               containing no acceptable Proposal) }
    then { IUT sends IKE_SA_INIT_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 14 NO_PROPOSAL_CHOSEN) }
  }



Test Purpose

Identifier: TP_SEC_6372_02
Summary: Test reaction on IKE_AUTH request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host | Test Case: TC_SEC_6372_02

with { IUT having sent IKE_SA_INIT_request
       and IUT having received IKE_SA_INIT_response
}
ensure that
  { when { IUT receives IKE_AUTH_request
             containing (Security_Association_payload
               containing no acceptable Proposal) }
    then { IUT sends IKE_AUTH_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 14 NO_PROPOSAL_CHOSEN) }
  }
Test Purpose

Identifier: TP_SEC_6372_03
Summary: Test reaction on CREATE_CHILD_SA request with unacceptable SA proposal
References: RQ_002_6372
IUT Role: Host | Test Case: TC_SEC_6372_03

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Security_Association_payload
               containing no acceptable Proposal) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 14 NO_PROPOSAL_CHOSEN) }
  }



Test Purpose

Identifier: TP_SEC_6373_01
Summary: Test reaction on IKE_SA_INIT request with invalid Diffie-Hellman value
References: RQ_002_6373, RQ_002_6306
IUT Role: Host | Test Case: TC_SEC_6373_01

with { IUT ready to establish a Security_Association using IKEv2
}
ensure that
  { when { IUT receives IKE_SA_INIT_request
             containing (Key_Exchange_payload
               containing an invalid DH_Group_number) }
    then { IUT sends IKE_SA_INIT_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 17 INVALID_KE_PAYLOAD) }
  }



A.3.4.4.2 Cookies 



Test Purpose

Identifier: TP_SEC_6081_01
Summary: Test reaction on IKE_SA_INIT response with COOKIE Notify payload
References: RQ_002_6081, RQ_002_6080, RQ_002_6391
IUT Role: Host | Test Case: TC_SEC_6081_01

with { IUT having sent IKE_SA_INIT_request
}
ensure that
  { when { IUT receives IKE_SA_INIT_response
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 16390 COOKIE
               and containing (Notification_Data
                 containing 'Cookie data')) }
    then { IUT sends IKE_SA_INIT_request
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 16390 COOKIE
               and containing Notification_Data
                 set to Notification_Data
                   received in IKE_SA_INIT_response)
             and containing 'all other payloads from initial
                             request unchanged' }
  }
A.3.4.4.3 Rekeying



Test Purpose

Identifier: TP_SEC_6101_01
Summary: Test of generating CREATE_CHILD_SA request for rekeying of child SA
References: RQ_002_6101, RQ_002_6172, RQ_002_6173, RQ_002_6397
IUT Role: Host | Test Case: TC_SEC_6101_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the CHILD_SA
                is about to expire'
       and IUT 'able to rekey CHILD_SA within IKE_SA'
}
ensure that
  { when { IUT is requested to send CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_request
             containing (Notify_payload
               containing Notify_Message_Type
                 set to 16393 REKEY_SA) }
  }



Test Purpose

Identifier: TP_SEC_6102_01
Summary: Test of deletion of old CREATE_CHILD_SA after rekeying
References: RQ_002_6102
IUT Role: Host | Test Case: TC_SEC_6102_01


with { IUT having established an IKE_Security_Association 
and IUT having established a CHILD_SA 
and IUT 'having detected that the lifetime of the CHILD_SA 

was about to expire' 
and IUT having sent CREATE_CHILD_SA_request 'for rekeying' 
} 
ensure that 

{ when { IUT receives CREATE_CHILD_SA_response } 
then { IUT sends INFORMATIONAL_request 
containing (Delete_payload 

containing Security_Parameters_Index 
indicating CHILD_SA 'to be deleted') } 
} 



Test Purpose

Identifier: TP_SEC_6103_01
Summary: Test of generating CREATE_CHILD_SA request for rekeying of IKE SA
References: RQ_002_6103
IUT Role: Host | Test Case: TC_SEC_6103_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the IKE_SA
                was about to expire'
}
ensure that
  { when { IUT is requested to send CREATE_CHILD_SA_request }
    then { IUT sends CREATE_CHILD_SA_request
             not containing Traffic_Selector_payload_initiator
             and not containing Traffic_Selector_payload_responder }
  }
Test Purpose

Identifier: TP_SEC_6105_01
Summary: Test of deletion of old IKE SA after rekeying
References: RQ_002_6105
IUT Role: Host | Test Case: TC_SEC_6105_01

with { IUT having established an IKE_Security_Association
       and IUT having established a CHILD_SA
       and IUT 'having detected that the lifetime of the CHILD_SA
                was about to expire'
       and IUT 'has rekeyed IKE_SA'
}
ensure that
  { when { IUT is requested to send INFORMATIONAL_request }
    then { IUT sends INFORMATIONAL_request
             containing (Delete_payload
               containing Security_Parameters_Index
                 indicating IKE_Security_Association
                   'to be deleted') }
  }



A.3.4.4.4 Traffic Selector Negotiation



Test Purpose

Identifier: TP_SEC_6123_01
Summary: Test reaction on CREATE_CHILD_SA request with acceptable and unacceptable traffic selectors
References: RQ_002_6123
IUT Role: Host | Test Case: TC_SEC_6123_01

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Traffic_Selector_payload_initiator
               containing first
                 and acceptable Traffic_Selector
               and containing next
                 and unacceptable Traffic_Selector)
             and containing (Traffic_Selector_payload_responder
               containing first
                 and acceptable Traffic_Selector
               and containing next
                 and unacceptable Traffic_Selector) }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Traffic_Selector_payload_initiator
               containing acceptable Traffic_Selector
                 received in CREATE_CHILD_SA_request)
             and containing (Traffic_Selector_payload_responder
               containing acceptable Traffic_Selector
                 received in CREATE_CHILD_SA_request) }
  }
Test Purpose

Identifier: TP_SEC_6125_01
Summary: Test reaction on CREATE_CHILD_SA request with acceptable and unacceptable traffic selectors
References: RQ_002_6125, RQ_002_6383
IUT Role: Host | Test Case: TC_SEC_6125_01

with { IUT having established an IKE_Security_Association
}
ensure that
  { when { IUT receives CREATE_CHILD_SA_request
             containing (Traffic_Selector_payload_initiator
               containing Traffic_Selector
                 indicating 'a range of parameters of which
                             only a subset is acceptable')
             and containing (Traffic_Selector_payload_responder
               containing Traffic_Selector
                 set to 'a range of parameters of which
                         only a subset is acceptable') }
    then { IUT sends CREATE_CHILD_SA_response
             containing (Traffic_Selector_payload_initiator
               containing Traffic_Selector
                 set to 'acceptable subset of range'
                   received in CREATE_CHILD_SA_request)
             and containing (Traffic_Selector_payload_responder
               containing Traffic_Selector
                 set to 'acceptable subset of range'
                   received in CREATE_CHILD_SA_request)
             and optionally (
               containing (Notify_payload
                 containing Notify_Message_Type
                   set to 16386 ADDITIONAL_TS_POSSIBLE)) }
  }
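Responder-side traffic selector narrowing as exercised by TP_SEC_6123_01 (first selector acceptable, next one not) and TP_SEC_6125_01 (a range of which only a subset is acceptable). This is an added example, not part of the ETSI specification; the names Selector, ts, intersect and narrow, the policy values, and the rule that more than one acceptable intersection yields ADDITIONAL_TS_POSSIBLE are assumptions of the example. The same function is applied once to the initiator payload and once to the responder payload.

```python
import ipaddress
from typing import NamedTuple, Optional

ADDITIONAL_TS_POSSIBLE = 16386   # Notify Message Type named in TP_SEC_6125_01


class Selector(NamedTuple):
    proto: int      # IP protocol ID, 0 means any
    ports: tuple    # (start, end), inclusive
    addrs: tuple    # (start, end) IPv6 addresses, inclusive


def ts(proto, port_lo, port_hi, addr_lo, addr_hi) -> Selector:
    return Selector(proto, (port_lo, port_hi),
                    (ipaddress.IPv6Address(addr_lo), ipaddress.IPv6Address(addr_hi)))


def intersect(a: Selector, b: Selector) -> Optional[Selector]:
    """Largest selector covered by both a and b, or None if they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    ports = (max(a.ports[0], b.ports[0]), min(a.ports[1], b.ports[1]))
    addrs = (max(a.addrs[0], b.addrs[0]), min(a.addrs[1], b.addrs[1]))
    if ports[0] > ports[1] or addrs[0] > addrs[1]:
        return None
    return Selector(a.proto or b.proto, ports, addrs)


def narrow(proposed, policy):
    """Return (selector for the response, notify type or None).

    Raises ValueError when nothing in the proposal is acceptable.
    """
    acceptable = []
    for offered in proposed:          # keep the initiator's order of preference
        for allowed in policy:
            common = intersect(offered, allowed)
            if common is not None and common not in acceptable:
                acceptable.append(common)
    if not acceptable:
        raise ValueError("no acceptable Traffic_Selector")
    # Simplification of this example: anything beyond the first acceptable
    # subset would need a separate SA, which is signalled to the initiator.
    notify = ADDITIONAL_TS_POSSIBLE if len(acceptable) > 1 else None
    return acceptable[0], notify
```
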